Witty Coder

WhatsApp tumhare message ke liye server se baar-baar nahi puchta — wo persistent connection rakhta hai.

Ek tick = server. Do tick = delivered. Blue = read. Offline pe message queue hota hai.

Save this — interview me ‘Design WhatsApp’ aata hai 🔖

Full breakdown 👉 wittycoder.in/whatsapp-system-design

Comment ‘CHAT’ for it.

Tumhara app har 2 second server se puchta hai ‘kuch naya hai?’ — ye galti hai.

Polling = waste. Long polling = thoda better. WebSocket = ek connection, server khud push karta hai.

Save this before your next real-time feature 🔖

Real-time design notes 👉 wittycoder.in/websocket-vs-polling

Comment ‘SOCKET’ for it.

Redis aur Memcached dono cache hain — par ek galat choose kiya to scale pe dikkat aa jaayegi.

Memcached = simple + multi-threaded. Redis = data structures + persistence + pub/sub.

Save this for your next system design interview 🔖

Full caching cheat-sheet 👉 wittycoder.in/redis-vs-memcached

Comment ‘REDIS’ and I’ll point you to it.

The folder structure you learned in tutorials
will get you fired in a production codebase. 🧵

Tutorials teach: routes/ models/ controllers/
That works alone. Breaks with a team.

What scales: separate by feature, not type.

Instead of:
controllers/users.js
controllers/orders.js
models/users.js

Do this:
users/users.controller.js
users/users.service.js
users/users.routes.js

Everything for a feature lives together.
New dev can find anything in under 30 seconds.

The real cost of a bad structure isn’t messy files.
It’s 20 minutes of searching, every day, per developer.

Structure for the developer who hasn’t joined yet.

Save this 👆

One wrong cache update once showed yesterday’s bank balance to millions of users.
Learn why engineers delete cache entries instead of updating them, the race condition that makes updating dangerous, and how production systems combine both strategies.
Follow The Witty Coder — everyday products explained through backend engineering.

When you tap Pay, you’re not talking to the merchant.
You’re starting a 6-company conversation in 1.5 seconds. 🧵

One common card payment flow:
👤 You → Payment gateway → Acquiring bank → Card network → Your bank
↑ Approval travels back the same chain

Six hops out. Six hops back.

If any hop fails silently → “Payment failed.” No reason. No hop number.

That’s why payment reconciliation exists — a background job that catches gaps between what was charged and what was confirmed.

Six companies. One tap. 1.5 seconds.

Save this 👆

Netflix can push a feature to your account and roll it back in under a second.

No deployment. No downtime. 🧵

Think of it like light switches already wired into the walls.
The code is deployed. The wire is live.
You just haven’t flipped the switch.

How it works:
→ New feature ships hidden behind a flag (just true/false in Redis)
→ Roll out to 1% → watch metrics → 10% → 50% → 100%
→ Something breaks → flip flag off → instant rollback
→ Also powers A/B testing — same codebase, two variants, flags decide who sees what

The unlock:
Deploy whenever.
Release when you’re ready.

Save this 👆

Your bank doesn’t log you out because you stopped clicking.
It logs you out because of a threat it calculated. 🧵

Two common approaches:

Server-side sessions:
→ Token in DB, inactivity timer resets each request
→ Go quiet → session deleted → easy to revoke instantly

JWTs:
→ Expiry baked into token, server stores nothing
→ Fast, scalable — but hard to revoke mid-flight without a blocklist

Banks often use server-side sessions for sensitive operations.
If suspicious activity hits — they need to kill your session NOW.

The 5-minute timeout is a risk decision. Not a UX choice.

Save this 👆

When you click Forgot Password —
the website can’t see your password. It never could.

Here’s what actually happens 👇

→ Passwords are stored as hashes — one-way, can’t be reversed
→ Click Forgot Password → server makes a random token, stores its hash, emails you the raw token
→ You click the link → server re-hashes, compares, checks timestamp
→ All 3 match → you get to reset. Token deleted immediately.

Same link twice → already gone. By design.

If a company ever emails you your actual password — they stored it in plain text. Run.

You can’t recover a password. You can only replace it.

Save this 👆